Abstract — A formal belief semantics is given for a constructive, 
first-order authorization logic. The belief semantics is proved to 
subsume a standard Kripke semantics. The belief semantics yields 
a direct representation of principals' beliefs, without resorting to 
the technical machinery used in Kripke semantics. A proof system 
is given for the logic; that system is proved sound with respect 
to the belief and Kripke semantics. The soundness proof for the 
Kripke semantics is mechanized in Coq. 

I. Introduction 

Authorization logics are used in computer security to reason 
about whether principals — computer or human agents — are 
permitted to take actions in computer systems. The distin- 
guishing feature of authorization logics is their use of a "says" 
connective: intuitively, if principal $p$ believes that formula $\phi$ 
holds, then formula $p$ says $\phi$ holds. Access control decisions 
can then be made by reasoning about (i) the beliefs of 
principals, (ii) how those beliefs can be combined to derive 
logical consequences, and (iii) whether those consequences 
entail guard formulas, which must hold for actions to be 
permitted. 

Many systems that employ authorization logics have been 
proposed [1]-[18], but few authorization logics have been 
given a formal semantics [19]-[22]. Though semantics might 
not be immediately necessary to deploy authorization logics 
in real systems, 

• semantics yield insight into the meaning of formulas, and 

• semantics make it possible to prove the soundness of 
a proof system — which might require proof rules and 
axioms to be corrected, if there are any lurking errors 
in the proof system. 

For the sake of security, it is worthwhile to carry out such 
soundness proofs. Given only a proof system, we must trust 
that the proof system is correct. But given a proof system and 
a soundness proof, which shows that any provable formula 
is semantically valid, we now have evidence that the proof 
system is correct, hence trustworthy. The soundness proof thus 
relocates trust from the proof system to the proof itself — as 
well as to the semantics, which ideally offers more intuition 
about formulas than the proof system itself. 

The intuitive basis for semantics of epistemic logics is usually 
that of possible worlds, as used by Kripke [23]. Semantics 
that use this technique (henceforth, Kripke semantics) posit an 
indexed accessibility relation on possible worlds. If at world 
$w$, principal $p$ considers world $w'$ to be possible, then $(w, w')$ 
is in $p$'s accessibility relation. We denote this as $w \le_p w'$. 
Authorization logics sometimes use Kripke semantics to give 
meaning to the says connective: semantically, $p$ says $\phi$ holds 
in a world $w$ iff for all worlds $w'$ such that $w \le_p w'$, formula 
$\phi$ holds in world $w'$. Hence a principal says $\phi$ iff $\phi$ holds in 
all worlds the principal considers possible.¹ 

The use of Kripke semantics in authorization logic thus 
requires installation of possible worlds and accessibility re- 
lations into the semantics, solely to give meaning to says. 
Unfortunately, this approach does not seem to correspond 
to how principals reason in real-world systems. Rather than 
explicitly considering possible worlds and relations between 
them, principals typically begin with some set of base formulas 
they believe to hold — perhaps because they have received 
digitally signed messages encoding those formulas, or perhaps 
because they invoke system calls that return information — then 
proceed to reason from those formulas. So could we instead 
stipulate that each principal $p$ have a set of beliefs $\omega(p)$, called 
the worldview of $p$, such that $p$ says $\phi$ holds iff $\phi \in \omega(p)$? 
That is, a principal says $\phi$ iff $\phi$ is in the principal's worldview? 

This paper answers that question in the affirmative. We 
give two semantics for an authorization logic: one semantics 
(§III) uses Kripke models, the other (§II) introduces belief 
models, which employ worldviews to interpret says.² We show 
(§IV) that belief models subsume Kripke models, in the sense 
that every Kripke model can be transformed into a belief 
model. If a formula is valid in the Kripke model, then it 
is also valid in the belief model. As a result, authorization 
logics can now eliminate the technical machinery of Kripke 
semantics and instead use belief semantics. This semantics 
potentially increases the trustworthiness of an authorization 
system, because the semantics is closer to how principals 
reason in real systems. 

The particular logical system we introduce in this paper 
is FOCAL, First-Order Constructive Authorization Logic. 
FOCAL extends a well-known authorization logic, cut-down 
dependency core calculus (CDD) [28], from a propositional 
language to a language with first-order functions and relations 
on system state. Functions and relations are essential for 
reasoning about authorization in a real operating system — 
as exemplified in Nexus Authorization Logic (NAL) [29], of 
which FOCAL is a fragment. FOCAL also simplifies NAL by 
reducing from second-order to first-order quantification, with 
no important loss in expressivity. 

¹ The says connective is, therefore, closely related to the modal necessity 
operator □ [24] and the epistemic knowledge operator $K$ [25]. 

² Our belief models are an instance of the syntactic approach to modeling 
knowledge [25]-[27]. 



Having given two semantics for FOCAL, we then turn to 
the problem of proving soundness. It turns out that the NAL 
proof system is unsound w.r.t. the semantics presented here: 
NAL allows derivation of a formula our semantics considers 
invalid. A priori, the fault could lie with our semantics or 
with NAL's proof system. However, our examination of the 
formula (cf. §VI-D) suggests that if the logic is to be used in 
a distributed setting without globally-agreed upon state, then 
the proof system should not allow the formula to be derived. 
So if NAL is to be used in such settings, its proof system 
needs to be corrected. 

NAL extends CDD, so CDD is also unsound w.r.t. our 
semantics. However, CDD has been proved sound w.r.t. a 
different semantics [28]. This seeming discrepancy — sound 
vs. unsound — illuminates a difference between how NAL and 
CDD interpret says. We discuss that difference in §VI-E. 

To achieve soundness for FOCAL, we develop a revised 
proof system; the key technical change is adopting localized 
hypotheses in the proof rules. In §V we prove the soundness 
of our proof system with respect to both our belief and Kripke 
semantics. This result yields the first soundness proof w.r.t. 
belief semantics for an authorization logic. 

Having relocated trust into the soundness proof, we then 
seek a means to increase the trustworthiness of that proof. Ac- 
cordingly, we formalize the syntax, proof system, and Kripke 
semantics in the Coq proof assistant,³ and we mechanize the 
proof of soundness. That mechanization relocates trust from 
our soundness proof to the Coq proof system, which is well- 
studied and is the basis of many other formalizations. The full 
Coq formalization (including the formalization of FOCALE, 
discussed next) contains about 4,000 lines of code and re- 
quired about four person-months for us, as Coq neophytes, to 
develop.⁴ The mechanization effort was worthwhile in that it 
exposed various bugs in our semantics that might otherwise 
have remained unnoticed. 

Finally, we extend FOCAL to include the advanced features 
found in NAL: restricted delegation, subprincipals, and inten- 
sional group principals (cf. §VI). These features, along with 
first-order functions and relations, can be used to implement 
the authorization system of an operating system built on a 
trusted platform module [18], and they enable rich reasoning 
about axiomatic, synthetic, and analytic bases for authorization 
of actions [29]. We call our extended logic FOCALE; it is quite 
similar to NAL, though there are some deliberate differences 
(cf. §VI). We give belief and Kripke semantics for FOCALE, 
give a proof system for FOCALE, and show the soundness of 
the proof system w.r.t. the belief semantics. We also show 
soundness w.r.t. the Kripke semantics and mechanize that 
proof in Coq. As a result, we obtain the first soundness proof 
for an authorization logic with intensional group principals. 

We proceed as follows. §II presents FOCAL and its belief 
semantics. §III gives a Kripke semantics for FOCAL. §IV 
proves the relationship of the belief semantics to the Kripke 
semantics. §V gives a proof system for FOCAL and proves its 
soundness w.r.t. the Kripke semantics. §VI develops FOCALE 
by showing how to extend FOCAL's semantics and proof 
system to handle NAL's advanced features. §VII discusses 
related work, and §VIII concludes. All proofs appear in ap- 
pendix A. Some familiarity with epistemic logics, constructive 
logics, and their Kripke semantics is assumed. Readers who 
seek background in these areas can consult standard references. 

³ http://coq.inria.fr 

⁴ Our implementation is available from 
http://faculty.cs.gwu.edu/~clarkson/projects/focale/ 

$$\begin{array}{rcl}
\tau & ::= & x \mid f(\tau, \ldots, \tau) \\[2pt]
\phi & ::= & \mathit{true} \mid \mathit{false} \mid r(\tau, \ldots, \tau) \mid \tau_1 = \tau_2 \\
     & \mid & \phi_1 \wedge \phi_2 \mid \phi_1 \vee \phi_2 \mid \phi_1 \Rightarrow \phi_2 \mid \neg\phi \\
     & \mid & (\forall x : \phi) \mid (\exists x : \phi) \\
     & \mid & \tau \;\mathit{says}\; \phi \mid \tau_1 \;\mathit{speaksfor}\; \tau_2
\end{array}$$

Fig. 1. Syntax of FOCAL 

II. Belief Semantics 

FOCAL is a constructive, first-order, multimodal logic. The 
key features that distinguish it as an authorization logic are 
the "says" and "speaks for" connectives, invented by Lampson 
et al. [1]. These are used to reason about authorization — for 
example, access control in a distributed system can be modeled 
in the following standard (albeit stylized) way: 

Example 1. A guard implements access control for a printer 
$p$. To permit printing to $p$, the guard must be convinced that 
guard formula PrintServer says printTo($p$) holds, where 
PrintServer is the principal representing the server process. 
That formula means that PrintServer believes printTo($p$) 
holds. To grant printer access to user $u$, the print server can 
issue the statement $u$ speaksfor PrintServer. That formula 
means anything $u$ says, PrintServer must also say. So if 
$u$ says printTo($p$), then PrintServer says printTo($p$), which 
satisfies the guard formula, hence affords the user access to 
the printer. 

Figure 1 gives the formal syntax of FOCAL. There are 
two syntactic classes, terms $\tau$ and formulas $\phi$. Metavariable $x$ 
ranges over first-order variables, $f$ over first-order functions, 
and $r$ over first-order relations. 

Formulas of FOCAL do not permit monadic second-order 
universal quantification, unlike CDD and NAL. In NAL, which 
is an extension of CDD, that quantifier was used only to define 
false and speaksfor as syntactic sugar. FOCAL instead adds 
these as primitive connectives to the logic. This simplification 
reduces the logic from second-order down to first-order. 

A. Semantic models 

The belief semantics of FOCAL is based on a combination 
of two standard semantic models — first-order models and 
constructive models — with worldviews, which are used to 
interpret says and speaksfor. To our knowledge, this semantics 
is new in the study of authorization logics. Our presentation 
mostly follows the semantics of intuitionistic predicate calculus 
given by Troelstra and van Dalen [30]. 

First-order models: A first-order model with equality is 
a tuple $(D, =, R, F)$. The purpose of a first-order model is 
to interpret the first-order fragment of the logic, specifically 
first-order quantification, functions, and relations. $D$ is a set, 
the domain of individuals. Semantically, quantification in the 
logic ranges over these individuals. $R$ is a set $\{r_i \mid i \in I\}$ 
of relations on $D$, indexed by set $I$. Likewise, $F$ is a set 
$\{f_j \mid j \in J\}$ of functions on $D$, indexed by set $J$. There is 
a distinguished equality relation $=$, which is an equivalence 
relation on $D$, such that equal individuals are indistinguishable 
by relations and functions. 

To interpret first-order variables, the semantics employs 
valuation functions, which map variables to individuals. De- 
note the individual that variable x represents in valuation v as 
v(x). 

Constructive models: A constructive model is a tuple 
$(W, \le, s)$. The purpose of constructive models is to extend 
first-order models to interpret the constructive fragment of the 
logic, specifically implication and universal quantification. $W$ 
is a set, the possible worlds. We denote an individual world as 
$w$. Intuitively, a world $w$ represents the state of knowledge of a 
constructive reasoner. Constructive accessibility relation $\le$ is a 
partial order on $W$. If $w \le w'$, then the constructive reasoner's 
state of knowledge could grow from $w$ to $w'$. Function $s$ is 
the first-order interpretation function. It assigns a first-order 
model $(D_w, =_w, R_w, F_w)$ to each world $w$. Let the individual 
elements of $R_w$ be denoted $\{r_{i,w} \mid i \in I\}$; likewise for $F_w$, 
as $\{f_{j,w} \mid j \in J\}$. Thus, $s$ enables a potentially different 
first-order interpretation at each world. But to help ensure that 
the constructive reasoner's state of knowledge only grows — 
hence never invalidates a previously admitted construction — 
we require $s$ to be monotonic w.r.t. $\le$. That is, if $w \le w'$ 
then (i) $D_w \subseteq D_{w'}$, (ii) $d =_w d'$ implies $d =_{w'} d'$, (iii) 
$r_{i,w} \subseteq r_{i,w'}$, and (iv) for all tuples $\vec{d}$ of individuals, it holds 
that $f_{j,w}(\vec{d}) =_w f_{j,w'}(\vec{d})$. 

It's natural to wonder why we chose to introduce possible 
worlds into the semantics here after arguing against them in 
§I. Note, though, that the worlds in the constructive model 
are being used to model only the constructive reasoner — 
which we might think of as the guard, who exists outside 
the logic and attempts to ascertain the truth of formulas — 
not any of the principals reasoned about inside the logic. 
Moreover, we have not introduced any accessibility relations 
for principals, but only a single accessibility relation for the 
constructive reasoner. So the arguments in §I don't apply 
here. It would be possible to eliminate our usage of possible 
worlds by employing a Heyting algebra semantics [31] of 
constructive logic. But possible worlds blend better with our 
eventual introduction of accessibility relations for principals 
in §III. 

It's also natural to wonder why FOCAL is constructive 
rather than classical. Schneider et al. [29] write that con- 
structivism preserves evidence: "Constructive logics are well 
suited for reasoning about authorization. . . because constructive 
proofs include all of the evidence used for reaching a 
conclusion and, therefore, information about accountability is 
not lost. Classical logics allow proofs that omit evidence." 
Garg and Pfenning [32] also champion the notion of evidence 
in authorization logics, writing that "[constructive logics] keep 
evidence contained in proofs as direct as possible." So we 
chose to make FOCAL constructive for the sake of evidence. 
Regardless, we believe that a classical version of FOCAL 
could be created without difficulty. 

Belief models: A belief model is a tuple $(W, \le, s, P, \omega)$. 
The purpose of belief models is to extend constructive models 
to interpret says and speaksfor. The first part of a belief model, 
$(W, \le, s)$, must itself be a constructive model. The next part, 
$P$, is the set of principals. Although individuals can vary from 
world to world in a model, the set of principals is fixed across 
the entire model.⁵ Because we make no syntactic distinction 
between individuals and principals, all principals must also be 
individuals: $P$ must be a subset of $D_w$ for every $w$. We define 
an equality relation $=$ on principals, such that $p = p'$ iff there 
exists a $w$ such that $p =_w p'$. 

The final part of a belief model, worldview function $\omega$, 
yields the beliefs of a principal $p$: the set of formulas that $p$ 
believes to hold in world $w$ under valuation $v$ is $\omega(w, p, v)$.⁶ 
To ensure that the constructive reasoner's knowledge grows 
monotonically, worldviews must be monotonic w.r.t. $\le$: 

Worldview Monotonicity: If $w \le w'$ then $\omega(w, p, v) \subseteq 
\omega(w', p, v)$. 

And to ensure that whenever principals are equal they have 
the same worldview, we require the following: 

Principal Equality (Belief): If $p = p'$, then, for all $w$ 
and $v$, it holds that $\omega(w, p, v) = \omega(w, p', v)$. 

B. Semantic validity 

Figure 2 gives a belief semantics of FOCAL. The validity 
judgment is written $B, w, v \models \phi$ where $B$ is a belief model and 
$w$ is a world in that model. As is standard, $B \models \phi$ holds iff, for 
all $w$ and $v$, it holds that $B, w, v \models \phi$; whenever $B \models \phi$, then 
$\phi$ is a necessary formula in model $B$. And $B, v \models \phi$ holds 
iff for all $w$, it holds that $B, w, v \models \phi$; whenever $B, v \models \phi$, 
then $\phi$ is a valuation-necessary formula. Likewise, $\models \phi$ holds 
iff, for all $B$, it holds that $B \models \phi$, and whenever $\models \phi$, then 
$\phi$ is a validity. Finally, let $B, w, v \models \Gamma$, where $\Gamma$ is a set of 
formulas, denote that for all $\psi \in \Gamma$, it holds that $B, w, v \models \psi$. 

The semantics relies on an auxiliary interpretation function 
$\mu$ that maps syntactic terms $\tau$ to semantic individuals: 

$$\mu(x) = v(x)$$ 

⁵ This assumption is consistent with other constructive multimodal log- 
ics [33], [34], which have a fixed set of modalities (just □ and ◇), and 
with classical multimodal epistemic logics [25], which have an indexed set of 
modalities (typically denoted $K_i$). 

⁶ For sake of simplicity, §I used notation $\omega(p)$ when first presenting the 
idea of worldviews. Now that we're being precise, $\omega$ needs two additional 
arguments: constructivity necessitates $w$, and first-orderedness necessitates $v$. 

Fig. 2. FOCAL validity judgment for belief semantics 



Implicitly, $\mu$ is parameterized on $B$, $w$, and $v$, but we omit 
writing these for notational simplicity. 

The first-order, constructive fragment of the semantics is 
routine. The semantics of says is the intuitive semantics we 
wished for in §I: a principal $\mu(\tau)$ says $\phi$ exactly when $\phi$ 
is in that principal's worldview $\omega(w, \mu(\tau), v)$. And a prin- 
cipal $\mu(\tau_1)$ speaks for another principal $\mu(\tau_2)$ exactly when 
worldview $\omega(w, \mu(\tau_1), v)$ of $\mu(\tau_1)$ is a subset of worldview 
$\omega(w, \mu(\tau_2), v)$ of $\mu(\tau_2)$ — hence everything $\mu(\tau_1)$ says, $\mu(\tau_2)$ 
also says. 

Note that some syntactic terms may represent individuals 
that are not principals.⁷ For example, the integer 42 is pre- 
sumably not a principal in $P$, but it could be an individual 
in some domain $D_w$. Users of the logic could therefore write 
non-sensical formulas such as 42 says $\phi$, assuming that 42 is a 
syntactic term. Such formulas would never hold semantically, 
because 42 does not have a worldview. 

We impose a few well-formedness constraints on world- 
views in this semantics, in addition to Worldview Monotonic- 
ity and Principal Equality (Belief). First, worldviews must 
be deductively closed — that is, principals must believe all the 
formulas that can be deduced from their beliefs. Let $\Gamma \vdash \phi$ 
denote that formula $\phi$ can be deduced from set $\Gamma$ of formulas 
(we give a formal definition of relation $\vdash$ in §V): 

Deductive Closure: If $\Gamma \subseteq \omega(w, p, v)$ and $\Gamma \vdash \psi$, then 
$\psi \in \omega(w, p, v)$. 

Deductive closure is closely related to logical omniscience, 
which, with its known benefits and flaws [35], [36], has 
been a standard assumption in authorization logics since their 
inception [1]. Although it might seem somewhat unusual to 
define this part of the semantics of FOCAL in terms of the 
proof system, it models our intuition that principals begin with 
a base set of beliefs and derive consequences.⁸ NAL's [29] 
informal worldview semantics uses the same intuition. 

⁷ We could make FOCAL a two-sorted logic, with one sort for individuals 
and another sort for principals. But having only a single sort is definitionally 
simpler. Another alternative would be to coerce individuals to principals — for 
example, treat 42 as the principal who believes only necessities (i.e., the $\bot$ 
principal defined in §VI). 

⁸ It would be possible to replace Deductive Closure with a purely semantic 
definition. But to maintain the results of §IV, the Kripke semantics of says 
in §III would need to be adjusted. 

Second, worldviews must ensure that says is a transparent 
modality — that is, for any principal $p$, it holds that $p$ says $\phi$ 
exactly when $p$ says ($p$ says $\phi$): 

Says Transparency: $\phi \in \omega(w, \mu(\tau), v)$ iff $(\tau \;\mathit{says}\; \phi) \in 
\omega(w, \mu(\tau), v)$. 

So says supports positive introspection: if $p$ believes that $\phi$ 
holds, then $p$ is aware of that belief, therefore $p$ believes that 
$p$ believes that $\phi$ holds. Moreover, the converse of that holds 
as well. Recent authorization logics include transparency [29], 
[38], and it is well known (though sometimes vigorously 
debated) in epistemic logic [24], [39]. 

Third, worldviews must enable principals to delegate, or 
hand-off, to other principals: if a principal $p$ believes that 
$p'$ speaksfor $p$, it should hold that $p'$ does speak for $p$: 

Hand-off: If $(\tau \;\mathit{speaksfor}\; \tau') \in \omega(w, \mu(\tau'), v)$ then 
$\omega(w, \mu(\tau), v) \subseteq \omega(w, \mu(\tau'), v)$. 

Hand-off, as the following axiom, existed in the earliest 
authorization logic [1], though not all logics since then have 
included it: 

$$(\tau' \;\mathit{says}\; (\tau \;\mathit{speaksfor}\; \tau')) \Rightarrow (\tau \;\mathit{speaksfor}\; \tau') \qquad (1)$$ 

Each of these well-formedness conditions is necessary to 
achieve the soundness result of §V, because the proof system 
there includes rules that correspond to the conditions. But with 
appropriate changes to the proof system, any of the conditions 
could be eliminated. 
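The worldview conditions above can be exercised on a small finite model. The following Python code is an added example, not code from the paper: it represents each worldview as a finite set closed under Hand-off and, up to a fixed says-nesting depth, Says Transparency; evaluates the says and speaksfor clauses of figure 2 at a single world and valuation; and runs the printer scenario of Example 1 through them. Deductive Closure is not applied, since it needs the proof system of §V; the tuple encoding of formulas, the principal names and the DEPTH bound are assumptions of the example.

```python
"""Finite belief-model evaluator for FOCAL's says and speaksfor (figure 2).

Added example, not the paper's code.  Assumptions: one world and one
valuation; formulas are nested tuples; a worldview starts from a finite
base set and is closed under Hand-off and, up to depth DEPTH, Says
Transparency, so every worldview stays finite.  Deductive Closure is
not applied (it needs the proof system of Sec. V).
"""

DEPTH = 2  # maximum nesting of `says` kept in a worldview (assumption)


def rel(name, *args):
    """Atomic formula r(tau, ..., tau) over constant terms."""
    return ('rel', name, args)


def says(p, phi):
    return ('says', p, phi)


def speaksfor(p, q):
    return ('speaksfor', p, q)


def says_depth(phi):
    """Nesting depth of `says` in a formula."""
    return 1 + says_depth(phi[2]) if phi[0] == 'says' else 0


def close_worldviews(base):
    """Least worldviews containing `base` (principal -> set of formulas)
    that satisfy Hand-off and the depth-bounded Says Transparency."""
    wv = {p: set(fs) for p, fs in base.items()}
    changed = True
    while changed:
        changed = False
        for p, beliefs in wv.items():
            new = set()
            for phi in beliefs:
                # Says Transparency: phi in omega(p) iff (p says phi) in omega(p)
                if phi[0] == 'says' and phi[1] == p:
                    new.add(phi[2])
                if says_depth(phi) < DEPTH:
                    new.add(says(p, phi))
                # Hand-off: (q speaksfor p) in omega(p) forces omega(q) <= omega(p)
                if phi[0] == 'speaksfor' and phi[2] == p:
                    new |= wv.get(phi[1], set())
            if not new <= beliefs:
                beliefs |= new
                changed = True
    return wv


def belief_holds(wv, phi):
    """B,w,v |= phi for the says and speaksfor clauses of figure 2.
    Terms that are not principals (e.g. 42) have no worldview, so
    formulas about them never hold."""
    kind = phi[0]
    if kind == 'says':
        return phi[1] in wv and phi[2] in wv[phi[1]]
    if kind == 'speaksfor':
        return phi[1] in wv and phi[2] in wv and wv[phi[1]] <= wv[phi[2]]
    raise ValueError('only says/speaksfor are interpreted here: %r' % (phi,))


# Constructed base beliefs for Example 1 (the printer guard).
PRINT = rel('printTo', 'p')
BASE = {
    'PrintServer': {speaksfor('u', 'PrintServer')},  # the server delegates to u
    'u': {PRINT},                                    # u asks to print
}
GUARD = says('PrintServer', PRINT)


def guard_satisfied(base=BASE):
    """Does Hand-off push printTo(p) into PrintServer's worldview?"""
    return belief_holds(close_worldviews(base), GUARD)


if __name__ == '__main__':
    wv = close_worldviews(BASE)
    print('guard formula holds:', belief_holds(wv, GUARD))
    print('u speaksfor PrintServer:', belief_holds(wv, speaksfor('u', 'PrintServer')))
    print('PrintServer speaksfor u:', belief_holds(wv, speaksfor('PrintServer', 'u')))
    print('42 says printTo(p):', belief_holds(wv, says(42, PRINT)))
```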

III. Kripke Semantics 

The Kripke semantics of FOCAL is a combination of 
three standard kinds of semantic models: first-order models, 
constructive models, and modal (Kripke) models. Similar 
semantic models have been explored before (see, e.g., [22], 
[33]), though we are not aware of any authorization logic 
semantics that is equivalent to or subsumes our semantics. 
First-order and constructive models were already presented in 
§II, so we begin here with modal models. 

$$\begin{array}{lcl}
K, w, v \models \tau \;\mathit{says}\; \phi & \text{iff} & \text{for all } w', w'' : w \le w' \le_{\mu(\tau)} w'' \text{ implies } K, w'', v \models \phi \\
K, w, v \models \tau_1 \;\mathit{speaksfor}\; \tau_2 & \text{iff} & \mathit{ReachAcc}(\mu(\tau_1), w) \supseteq \mathit{ReachAcc}(\mu(\tau_2), w) \\
K, w, v \models \ldots & \text{iff} & \text{same as figure 2 but substituting } K \text{ for } B
\end{array}$$

Fig. 3. FOCAL validity judgment for Kripke semantics 



A. Modal models 

A modal model is a tuple $(W, \le, s, P, A)$. The purpose of 
a modal model is to extend constructive models to interpret 
says and speaksfor. The first part of a modal model, $(W, \le, s)$, 
must itself be a constructive model. The next part, $P$, is the 
set of principals. As with belief models, all principals must be 
individuals, so $P$ must be a subset of $D_w$ for every $w$. Principal 
equality relation $=$ is defined just as in belief models. The final 
part of a modal model, $A$, is a set $\{\le_p \mid p \in P\}$ of binary 
relations on $W$, called the principal accessibility relations.⁹ 
If $w \le_p w'$, then at world $w$, principal $p$ considers world $w'$ 
possible. To ensure that equal principals have the same beliefs, 
we require 

Principal Equality (Kripke): If $p = p'$, then $\le_p = \le_{p'}$. 

Like $\le$ in a constructive model, we require $s$ to be monotonic 
w.r.t. each $\le_p$. This requirement enforces a kind of construc- 
tivity on each principal $p$, such that from a world in which 
individual $d$ is constructed, $p$ cannot consider possible any 
world in which $d$ has not been constructed. Unlike $\le$, none of 
the $\le_p$ are required to be partial orders: they are not required 
to satisfy reflexivity, anti-symmetry, or transitivity. 

That non-requirement raises an important question. In epis- 
temic logics, the properties of what we call the "principal 
accessibility relations" determine what kind of knowledge is 
modeled [25]. If, for example, these relations must be reflex- 
ive, then the logic models veridical knowledge: if $p$ says $\phi$, 
then $\phi$ indeed holds. But that is not the kind of knowledge 
we seek to model with FOCAL, because principals may say 
things that in fact do not hold. So what are the right properties, 
or frame conditions, to require of our principal accessibility 
relations? We briefly delay presenting them, so that we can 
present the Kripke semantics. 

B. Semantic validity 

Figure 3 gives a Kripke semantics of FOCAL. The validity 
judgment is written $K, w, v \models \phi$ where $K$ is a modal model 
and $w$ is a world in that model. Only the judgments for the 
says and speaksfor connectives are given in figure 3. For 
the remaining connectives, the Kripke semantics is the same 
as the belief semantics in figure 2. Interpretation function $\mu$ 
remains unchanged from §II, except that it is now implicitly 
parameterized on $K$ instead of $B$. 

To understand the semantics of says, first observe the 
following. Suppose that, for all worlds $w'$, it holds that $w \le w'$ 
implies $w = w'$.¹⁰ Then the semantics of says simplifies to 

$$K, w, v \models \tau \;\mathit{says}\; \phi \quad\text{iff}\quad \text{for all } w'' : w \le_{\mu(\tau)} w'' \text{ implies } K, w'', v \models \phi,$$ 

which is the standard semantics of □ in classical modal 
logic [24]: a principal believes a formula holds whenever that 
formula holds in all accessible worlds. 

⁹ In our notation, an unsubscripted $\le$ always denotes the constructive 
relation, and a subscripted $\le$ always denotes a principal relation. 

The purpose of the quantification over $w'$, where $w \le w'$, in 
the unsimplified semantics of says is to achieve monotonicity 
of the constructive reasoner: 

Proposition 1. If $K, w, v \models \phi$ and $w \le w'$ then $K, w', v \models \phi$. 

That is, whenever $\phi$ holds at a world $w$, if the constructive 
reasoner is able to reach an extended state of knowledge at 
world $w'$, then $\phi$ should continue to hold at $w'$. Without the 
quantification over $w'$ in the semantics of says, monotonicity 
is not guaranteed to hold. Constructive modal logics have, 
unsurprisingly, also used this semantics for □ [33], [34]. 

Note that, if there do not exist any worlds $w'$ and $w''$ such 
that $w \le w' \le_{\mu(\tau)} w''$, then at $w$, principal $\tau$ will say any 
formula $\phi$, including false. When a principal says false at world 
$w$, we deem that principal compromised at $w$. 

The semantics of speaksfor uses an auxiliary function 
$\mathit{ReachAcc}(p, w)$, which yields the component of $\le_p$ that is 
reachable from, or reaches to, world $w$. Formally, let $G_p$ be 
the undirected graph with nodes $W$ and edges $\le \cup \le_p$. And 
let $[w]_p$ be the set of worlds $w'$ such that $w'$ and $w$ are in the 
same connected component of $G_p$. Then $\mathit{ReachAcc}$ is defined 
as follows:¹¹ 

$$\mathit{ReachAcc}(p, w) = {\le_p}\,|_{[w]_p}.$$ 

So $\mathit{ReachAcc}(p, w)$ contains edge $(w', w'')$ iff that edge is 
already present in $\le_p$, and moreover $w'$ and $w''$ are reachable 
from $w$ by following any path that contains edges from either 
$\le_p$ or $\le$. 

To understand the semantics of speaksfor, observe that 
whenever $[w]_p$ equals $W$, it holds that $\mathit{ReachAcc}(p, w)$ equals 
$\le_p$. So the semantics simplifies to 

$$K, w, v \models \tau_1 \;\mathit{speaksfor}\; \tau_2 \quad\text{iff}\quad {\le_{\mu(\tau_1)}} \supseteq {\le_{\mu(\tau_2)}}. \qquad (2)$$ 

That is, the accessibility relation of $\tau_1$ must be a superset of 
the accessibility relation of $\tau_2$. That definition is standard in 
classical authorization logics [19], [20]. 

¹⁰ This condition corresponds to the axiom of excluded middle, hence its 
imposition creates a classical variant of FOCAL. So it makes sense that adding 
the frame condition would result in the classical semantics of □. 

¹¹ If $R$ is a binary relation on set $A$, then $R\,|_X$ is the restriction of $R$ to $X$, 
where $X \subseteq A$. That is, $R\,|_X = \{(x, x') \mid (x, x') \in R \text{ and } x \in X \text{ and } x' \in X\}$. 
However, the classical definition has a surprising interaction 
with hand-off (1): 

Example 2. Consider a world $w$. Suppose there do not exist 
any worlds $w'$ and $w''$ such that $w \le w' \le_{\mu(\tau)} w''$. Then at 
world $w$, principal $\tau$ is compromised: it says false, and also 
says any other formula $\phi$. 

Let $\phi$ be $\tau'$ speaksfor $\tau$. Then it holds, for any principal $\tau'$, 
that $K, w, v \models \tau$ says ($\tau'$ speaksfor $\tau$). By hand-off we then 
have $K, w, v \models \tau'$ speaksfor $\tau$. By the classical semantics 
of speaksfor, we have ${\le_{\mu(\tau')}} \supseteq {\le_{\mu(\tau)}}$. So $\tau$'s accessibility 
relation must be a subset of all other principals' accessibility 
relations. In the extreme case, if there is a principal whose 
accessibility relation is empty,¹² $\tau$'s relation must also be empty. 

Therefore, if there ever is any world $w$ at which principal $\tau$ 
is compromised, then $\tau$'s accessibility relation must be empty. 
That means if $\tau$ is compromised at one world, $\tau$ must be 
compromised at all worlds. 

As a result, the constructive reasoner is immediately forced 
to recognize that a principal is compromised, even if the 
reasoner is in a minimal state of knowledge (i.e., at a world 
$w$ at which there do not exist any worlds $v$ such that $v < w$). 
The reasoner is not allowed to wait until some greater state of 
knowledge to discover that a principal is compromised. This 
seems to be an intuitionistically undesirable feature. 

We therefore relax the classical semantics of speaksfor by 
using $\mathit{ReachAcc}$: 

$$K, w, v \models \tau_1 \;\mathit{speaksfor}\; \tau_2 \quad\text{iff}\quad \mathit{ReachAcc}(\mu(\tau_1), w) \supseteq \mathit{ReachAcc}(\mu(\tau_2), w) \qquad (3)$$ 

This is the semantics we adopt in FOCAL. With it, only 
the components of the accessibility relations that are locally 
reachable from $w$ need to be considered. So a principal could 
be entirely compromised in some set of worlds not reachable 
from $w$, but that principal need not be compromised at $w$. 

We've now seen two semantics of speaksfor ((2), (3)) that 
validate hand-off. That raises a question: what is the most 
permissive semantics of speaksfor (meaning that it allows as 
many models as possible) that validates hand-off? We don't 
know. One way to answer this question would be to show 
completeness of the FOCAL proof system. We leave that as 
future work. 

C. Frame conditions 

We now return to the discussion begun in §MI-AI of the 
frame conditions for FOCAL. The first two frame conditions 
we impose help to ensure Says Transparency. 

IT: If w <p u < p v, then there exists a w' such that 

w < w' < p V. 

ID: If w < p v, then there exists a w' and u such that 

w < w' < p u < p v. 

12 We indeed will require the existence of such a principal, which we notate 
as T, in ^Vj 
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Fig. 4. Frame conditions for Kripke semantics 



Figure @] depicts these conditions; dotted lines indicate exis- 
tentially quantified edges. IT helps to guarantee if p says (j> 
then p says {p says </>); ID does the conversed 

Note how, if w — w', the conditions reduce to the clas- 
sical definitions of transitivity and density. Those classical 
conditions are exactly what guarantee transparency in classical 
modal logic. 

IT and ID are not quite sufficient to yield transparency. But 
by also imposing the following frame condition, we do achieve 
transparency^ 

F2: If w < p v < v', then there exists a w' such that 

w < w' < p v' . 

F2 is depicted in figure [4] It is difficult to motivate F2 solely 
in terms of authorization logic, though it has been proposed in 
several Kripke semantics for constructive modal logics ||34ll , 
1 40 1 — 1 4-2 1 . But there are two reasons why F2 is desirable for 
FOCAL: 

• Assuming F2 holds, IT and ID are not only sufficient but 
also necessary conditions for transparency — a result that 
follows from work by Plotkin and Stirling ll40l . So in 
the presence of F2, transparency in FOCAL is precisely 
characterized by IT and ID. 

• Suppose FOCAL were to be extended with a suspects modality. It could be written $\tau$ suspects $\phi$, with semantics $K,w,v \models \tau$ suspects $\phi$ iff there exists $w'$ such that $w \leq_{\mu(\tau)} w'$ and $K,w',v \models \phi$. We would want says and suspects to interact smoothly. For example, it would be reasonable to expect that $\neg(\tau$ suspects $\phi)$ implies $\tau$ says $\neg\phi$. For if $\tau$ does not suspect $\phi$ holds anywhere, then $\tau$ should believe $\neg\phi$ holds. Condition F2 guarantees that implication [40]. So F2 prepares FOCAL for future extension with a suspects modality.

13 IT and ID are abbreviations for intuitionistic transitivity and intuitionistic density. We use the term "intuitionistic" instead of "constructive" just to avoid confusion: CT might be read as classical or constructive transitivity.

14 F2 is the name given this condition by Simpson [34].

Like the constraints imposed on worldviews in §II-B, IT, ID, and F2 are used to achieve the soundness result of §V. But with appropriate changes to the proof system, the frame conditions could be eliminated.

Finally, to ensure the validity of hand-off, we impose the following frame condition:

H: For all principals $p$ and worlds $w$, if there do not exist any worlds $w'$ and $w''$ such that $w \leq w' \leq_p w''$, then, for all $p'$, it must hold that $\mathit{ReachAcc}(p,w) \subseteq \mathit{ReachAcc}(p',w)$.

This condition guarantees that if a principal $p$ becomes compromised at world $w$, then the reachable component of its accessibility relation will be a subset of all other principals'. By the FOCAL semantics of speaksfor, all other principals therefore speak for $p$ at $w$, thus hand-off (1) from §II-B is valid.

IV. Semantic Transformation 

We have now given two semantics for FOCAL, a belief semantics and a Kripke semantics. Naturally, the question arises: how are these two semantics related? It turns out that the Kripke semantics can be soundly transformed into the belief semantics; but the Kripke semantics treats speaksfor differently than does the belief semantics — as we now explain.

Given a modal model K, there is a natural way to construct 
a belief model from it: assign each principal a worldview 
containing exactly the formulas that the principal says in K. 
Call this construction k2b, and let k2b(K) denote the resulting 
belief model. 

To give a precise definition of k2b, we need to introduce a new notation. Given semantic principal $p$, formula $p$ says $\phi$ is not necessarily well-formed, because $p$ is not necessarily a syntactic term. So let $K,w,v \models p$ says $\phi$ be defined as follows: for all $w'$ and $w''$ such that $w \leq w' \leq_p w''$, it holds that $K,w'',v \models \phi$. This definition simply unrolls the semantics of says to produce something well-formed.

The precise definition of k2b is as follows: if $K = (W, \leq, s, P, A)$, then $\mathrm{k2b}(K)$ is belief model $(W, \leq, s, P, \omega)$, where $\omega(w,p,v)$ is defined to be $\{\phi \mid K,w,v \models p \text{ says } \phi\}$.

Our first concern is whether $\mathrm{k2b}(K)$ satisfies all the conditions required of belief models (§II): Worldview Monotonicity, Principal Equality (Belief), Deductive Closure, Says Transparency, and Hand-off. If a belief model $B$ does satisfy these conditions, then $B$ is well-formed. Construction k2b does, indeed, produce well-formed belief models:

15 Were suspects to be added to FOCAL, it would also be desirable to impose a fourth frame condition: if $w \leq w'$ and $w \leq_p v$, then there exists a $v'$ such that $v \leq v'$ and $w' \leq_p v'$. This condition, named F1 by Simpson [34], guarantees [40] that $\tau$ suspects $\phi$ implies $\neg(\tau$ says $\neg\phi)$. It also guarantees monotonicity (cf. proposition 1) for suspects. Figure 4 depicts F1. Simpson [34, p. 51] argues that F1 and F2 could be seen as fundamental, not artificial, frame conditions for constructive modal logics.

16 Another solution would be to stipulate that every principal $p$ can be named by a term in the syntax.
Proposition 2. For all well-formed $K$, belief model $\mathrm{k2b}(K)$ is well-formed.

Modal model $K$ is well-formed if it satisfies all the conditions required of modal models (§III): Principal Equality (Kripke), IT, ID, F2, and H.

Our second concern is whether $\mathrm{k2b}(K)$ preserves the validity of formulas. In particular, if a formula is valid in $K$, it should remain so in $\mathrm{k2b}(K)$. Construction k2b does preserve validity:

Theorem 1. For all $K$, $w$, $v$, and $\phi$, if $K,w,v \models \phi$ then $\mathrm{k2b}(K),w,v \models \phi$.

The converse of theorem 1, however, does not hold. The problem is that some speaksfor formulas might be invalid in $K$ yet become valid in $\mathrm{k2b}(K)$. If, for example, principals $p$ and $q$ say all the same formulas in $K$, but their accessibility relations $\leq_p$ and $\leq_q$ are not the same, then they don't speak for each other in the Kripke semantics. Yet in $\mathrm{k2b}(K)$, their worldviews will be equal, so they will speak for each other in the belief semantics.
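The mismatch just described, worked out as an added example (this is not the paper's Coq development): a finite Kripke model over the propositional fragment, with the unrolled says semantics, checkers for the frame conditions IT, ID and F2, the k2b worldview construction over all formulas up to a fixed nesting depth, and both readings of speaksfor. It assumes no first-order layer (no valuation $v$), reads unrestricted Kripke speaksfor as accessibility inclusion as §VI-B states, and the two-world model and atom $X$ are constructed for the purpose.

```python
"""Finite Kripke model for the propositional fragment of FOCAL (added example,
not the paper's Coq code). Assumptions: no valuation v; formulas are tuples
('false',) | ('atom', a) | ('imp', a, b) | ('says', p, a); unrestricted Kripke
speaksfor is read as accessibility inclusion (p speaksfor q iff A_q is a subset
of A_p), as in section VI-B."""
from itertools import product

class KripkeModel:
    def __init__(self, worlds, leq, acc, truth):
        self.worlds = set(worlds)
        self.leq = set(leq)                              # intuitionistic order <=
        self.acc = {p: set(e) for p, e in acc.items()}   # <=_p for each principal p
        self.truth = truth                               # atom -> worlds where it holds

    def above(self, w):
        """Worlds w' with w <= w'."""
        return {v for (a, v) in self.leq if a == w}

    def accessible(self, w, p):
        """Worlds w'' with w <= w' <=_p w'' (the unrolled `says` of section IV)."""
        return {w2 for w1 in self.above(w) for (a, w2) in self.acc[p] if a == w1}

def holds(K, w, phi):
    """K, w |= phi, with intuitionistic implication and the unrolled says."""
    kind = phi[0]
    if kind == 'false':
        return False
    if kind == 'atom':
        return w in K.truth.get(phi[1], set())
    if kind == 'imp':   # must survive in every future world
        return all(not holds(K, w1, phi[1]) or holds(K, w1, phi[2])
                   for w1 in K.above(w))
    if kind == 'says':
        return all(holds(K, w2, phi[2]) for w2 in K.accessible(w, phi[1]))
    raise ValueError(f"unknown formula {phi!r}")

def frame_conditions(K):
    """Check IT, ID and F2 (figure 4) for every principal and every edge."""
    ok = {'IT': True, 'ID': True, 'F2': True}
    for A in K.acc.values():
        for (w, u) in A:
            # IT: w <=_p u <=_p v  implies  exists w' : w <= w' <=_p v
            for (u2, v) in A:
                if u2 == u and not any((w1, v) in A for w1 in K.above(w)):
                    ok['IT'] = False
            # ID: w <=_p u  implies  exists w', x : w <= w' <=_p x <=_p u
            if not any((w1, x) in A and (x, u) in A
                       for w1 in K.above(w) for x in K.worlds):
                ok['ID'] = False
            # F2: w <=_p u <= u'  implies  exists w' : w <= w' <=_p u'
            for u2 in K.above(u):
                if not any((w1, u2) in A for w1 in K.above(w)):
                    ok['F2'] = False
    return ok

def formulas_up_to(atoms, principals, depth):
    """All formulas over the given atoms and principals, nested up to `depth`."""
    fs = {('false',)} | {('atom', a) for a in atoms}
    for _ in range(depth):
        fs = (fs | {('imp', a, b) for a, b in product(fs, fs)}
                 | {('says', p, a) for p in principals for a in fs})
    return fs

def k2b_worldview(K, w, p, formulas):
    """omega(w, p) = { phi | K, w |= p says phi }, restricted to `formulas`."""
    return {phi for phi in formulas if holds(K, w, ('says', p, phi))}

def belief_speaksfor(K, w, p, q, formulas):
    """Belief semantics: p speaksfor q iff p's worldview is a subset of q's."""
    return k2b_worldview(K, w, p, formulas) <= k2b_worldview(K, w, q, formulas)

def kripke_speaksfor(K, p, q):
    """Accessibility-inclusion reading: p speaksfor q iff <=_q is a subset of <=_p."""
    return K.acc[q] <= K.acc[p]

# Constructed model: p and q reach the same worlds from every world (so they
# say exactly the same formulas), yet <=_q is a strict subset of <=_p.
K = KripkeModel(
    worlds={'w', 'u'},
    leq={('w', 'w'), ('u', 'u'), ('w', 'u')},
    acc={'p': {('w', 'u'), ('u', 'u')}, 'q': {('u', 'u')}},
    truth={'X': {'u'}},   # X holds at u only; monotone along w <= u
)
FORMULAS = formulas_up_to(['X'], ['p', 'q'], 2)

def compare(K, formulas):
    """Where K and k2b(K) disagree about speaksfor (the failed converse of theorem 1)."""
    same = all(k2b_worldview(K, w, 'p', formulas) == k2b_worldview(K, w, 'q', formulas)
               for w in K.worlds)
    return {'frame': frame_conditions(K),
            'same_worldviews': same,
            'kripke_q_sf_p': kripke_speaksfor(K, 'q', 'p'),   # False
            'belief_q_sf_p': belief_speaksfor(K, 'w', 'q', 'p', formulas)}  # True

if __name__ == '__main__':
    print(compare(K, FORMULAS))
```

The model satisfies IT, ID and F2, and "q speaksfor p" is valid in k2b(K) but not in K, which is exactly the direction in which theorem 1 cannot be reversed.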

This "feature" of the accessibility-relation based definition of speaksfor — that principals might not speak for each other yet have the same beliefs — is well-known. ABLP [19] and Howell [20] both identified definitions of speaksfor that would result in full equivalence of the belief and Kripke semantics of FOCAL; Howell calls this definition weak speaks-for and writes, "[O]ne may wonder why [ABLP] preferred a definition of speaks-for that was stronger than it needed to be. The intuition seems to be that [in A speaksfor B] the stronger semantics captures the fact that A understands B's reasons for believing various statements" [20, p. 43]. FOCAL adopts the stronger semantics of speaksfor for consistency with this prior work. Nonetheless, to obtain full equivalence of Kripke model to the constructed belief model, FOCAL could be modified to adopt the weak semantics.

We might wonder whether there is a construction that can soundly transform belief models into Kripke models. Consider trying to transform the following belief model $B$ into a Kripke model:

$B$ has a single world $w$ and a proposition (i.e., a nullary relation) $X$, such that, for all $v$, it holds that $B,w,v \not\models X$. Suppose that principal $p$'s worldview contains $X$ — i.e., for all $v$, it holds that $X \in \omega(w,p,v)$ — and that $p$'s worldview does not contain false. By the semantics of says, it holds that $B,w,v \models p$ says $X$.

When transforming $B$ to a Kripke model $K$, what edges could we put in $\leq_p$? There are only two choices: $\leq_p$ could be empty, or $\leq_p$ could contain the single edge $(w,w)$. If $\leq_p$ is empty, then $p$ is compromised, hence $p$ says false. That contradicts our assumption that false is not in $p$'s worldview. If $w \leq_p w$, then for $w'$ and $w''$ such that $w \leq w' \leq_p w''$, it does not hold that $K,w'',v \models X$ — because $w'$ and $w''$ can only be instantiated as $w$, and $B,w,v \not\models X$. Hence $p$ does not say $X$. That contradicts our assumption that $X$ is in $p$'s worldview. So we cannot construct an accessibility relation $\leq_p$ that causes the resulting Kripke semantics to preserve validity of formulas from the belief semantics.

Fig. 5. FOCAL derivability judgment

There is, therefore, no construction that can soundly transform belief models into Kripke models — unless, perhaps, the set of worlds is permitted to change. It might be possible to synthesize a new set of possible worlds, and equivalence relations on them, yielding a Kripke model that preserves validity of formulas from the belief model. We are investigating this possibility in ongoing work.

V. Proof System 

FOCAL's derivability judgment is written $\Gamma \vdash \phi$, where $\Gamma$ is a set of formulas called the context. As is standard, we write $\vdash \phi$ when $\Gamma$ is the empty set. In that case, $\phi$ is a theorem. We write $\Gamma, \phi$ to denote $\Gamma \cup \{\phi\}$.

Figure 5 presents the proof system. In it, $\phi[\tau/x]$ denotes capture-avoiding substitution of $\tau$ for $x$ in $\phi$. The first-order fragment of the proof system is routine. SAYS-LRI, SAYS-LI, and SAYS-RI use notation $\tau$ says $\Gamma$, which means that $\tau$ says all the formulas in set $\Gamma$. Formally, $\tau$ says $\Gamma$ is defined as $\{\tau \text{ says } \phi \mid \phi \in \Gamma\}$.

SAYS-LRI corresponds [24] to standard axiom K from epistemic logic; SAYS-RI, to standard axiom 4; and SAYS-LI, to the converse C4 [38], [46] of 4:

K: $(p \text{ says } (\phi \Rightarrow \psi)) \Rightarrow (p \text{ says } \phi) \Rightarrow (p \text{ says } \psi)$

4: $(p \text{ says } \phi) \Rightarrow (p \text{ says } (p \text{ says } \phi))$

C4: $(p \text{ says } (p \text{ says } \phi)) \Rightarrow (p \text{ says } \phi)$

17 These formulas are localized hypotheses, which the proof system uses instead of the hypothetical judgments found in natural deduction systems. Similar to the left-hand side $\Gamma$ of a sequent $\Gamma \Rightarrow \Delta$, the localized hypotheses are assumptions being used to derive right-hand side $\Delta$. Unlike a sequent, $\Gamma$ is a set, not a sequence.

K and SAYS-LRI mean that modus ponens applies inside says. They correspond to Deductive Closure. Because of SAYS-LRI and IMP-I, the deduction theorem holds for FOCAL [47]. C4 and 4, along with SAYS-LI and SAYS-RI, mean that $p$ says ($p$ says $\phi$) is equivalent to $p$ says $\phi$; they correspond to Says Transparency. In the Kripke semantics, SAYS-RI corresponds to IT; and SAYS-LI, to ID.

SF-I corresponds to hand-off (1). SF-E uses speaksfor to deduce beliefs. SF-R and SF-T state that speaksfor is reflexive and transitive.

The usual sequent calculus structural rules of contraction, substitution and exchange are all admissible. But WEAK is not admissible: it must be directly included in the proof system, because the conclusions of SAYS-{LRI,LI,RI} capture their entire context $\Gamma$ inside says.

Our first soundness theorem for FOCAL states that if $\phi$ is provable from assumptions $\Gamma$, and if a belief model validates all the formulas in $\Gamma$, then that model must also validate $\phi$. Therefore, any provable formula is valid in the belief semantics:

Theorem 2. If $\Gamma \vdash \phi$ and $B,w,v \models \Gamma$, then $B,w,v \models \phi$.

This result is, to our knowledge, the first proof of soundness 
for an authorization logic w.r.t. a belief semantics. 

Our second soundness theorem for FOCAL states that any provable formula is valid in the Kripke semantics:

Theorem 3. If $\Gamma \vdash \phi$ and $K,w,v \models \Gamma$, then $K,w,v \models \phi$.

We have mechanized the proof of theorem 3 in Coq. We expect that, with additional effort, the proof of theorem 2 could also be mechanized.

VI. Case Study: NAL 

We now show how to extend FOCAL to a logic that we call FOCALE (for FOCAL Extended). FOCALE adds to FOCAL the connectives and features found in Nexus Authorization Logic (NAL) [29] — specifically, restricted delegation, subprincipals, and intensional group principals. Supporting these features requires non-trivial extensions to the semantic models of §II and §III. We chose to study NAL in part because it has been used to implement the authorization subsystem of a real operating system [18], which makes NAL a very practical authorization logic.

FOCALE extends the FOCAL syntax (figure 1) as follows:

$\tau ::= \ldots \mid \tau_1.\tau_2 \mid \{x : \phi\}$

$\phi ::= \ldots \mid \tau_1$ speaksfor $\tau_2$ on $(x : \phi)$

These new syntactic forms are explained next.

When a principal $\tau_2$ is implemented by another principal $\tau_1$, such that $\tau_1$ can completely control $\tau_2$'s actions, then $\tau_2$ is a subprincipal of $\tau_1$, and $\tau_1$ is a superprincipal of $\tau_2$. That relationship is denoted $\tau_1.\tau_2$. For example, an operating system OS running on a CPU would be a subprincipal CPU.OS. And a process proc executed by that operating system would be (CPU.OS).proc. Since $\tau_1$ completely controls the actions of $\tau_1.\tau_2$, anything $\tau_1$ believes is also a belief of $\tau_1.\tau_2$.

An intensional group principal is a principal whose beliefs are an aggregation of the beliefs of other principals. It is "intensional" because it is defined by a characteristic predicate: group $\{x : \phi\}$ is the principal whose beliefs are the aggregation of the beliefs of all principals $x$ who satisfy formula $\phi$, where $x$ is free in $\phi$. Aggregation in NAL, hence in FOCALE, means union followed by deductive closure. So groups are disjunctive. For example, formula $\phi$ is a belief of group $\{x : x = \mathit{Alice} \vee x = \mathit{Bob}\}$ if $\phi$ is a belief of Alice, or is a belief of Bob, or can be deduced from the union of the beliefs of Alice and Bob. Because of group principals, terms and formulas are now mutually recursive syntactic classes.

Finally, restricted delegation is a limited form of speaksfor in which a principal delegates only partial authority to another principal. When $\tau_1$ speaksfor $\tau_2$ on $(x : \phi)$, only on statements $\phi$ with free variable $x$ does $\tau_1$ speak for $\tau_2$:

Example 3. If $u$ speaksfor PrintServer on $(p : \mathit{printTo}(p))$, then whenever user $u$ says $\mathit{printTo}(\mathit{labPrinter})$, it will be as if PrintServer says $\mathit{printTo}(\mathit{labPrinter})$. But if $u$ says a formula $\psi$ not of the form $(p : \mathit{printTo}(p))$ — for example, $u$ says $\mathit{emptyPrintQueue}(\mathit{labPrinter})$ — then it will not be as if PrintServer says $\psi$.

18 There would be no problem defining conjunctive groups based on intersection of beliefs, but NAL does not include them so neither does FOCALE.
A. FOCALE belief semantics 

A FOCALE belief model is a tuple $(W, \leq, s, P, \omega, \sqcup, \bot, \top)$. The first part of a FOCALE belief model, $(W, \leq, s, P, \omega)$, must be a belief model as in §II-A. The remaining parts of the model are used to interpret group and subprincipals.

To interpret group principals, we now require set $P$ of principals to form a join semilattice under join operation $\sqcup$. The lattice must have a bottom element $\bot$ and top element $\top$. Principal $\top$ believes every formula, including false, whereas principal $\bot$ believes only valuation necessities (cf. §II-B). Join operator $\sqcup$ is used to take disjunctions of principals: $p \sqcup q$ is the principal who believes those statements that either $p$ or $q$ believe, or statements that can be deduced from those. Formally, we require that the following condition holds:

Group Principal (Belief): For all principals $p$ and $q$, and for all $w$ and $v$, worldview $\omega(w, p \sqcup q, v)$ is the deductive closure of $\omega(w,p,v) \cup \omega(w,q,v)$.

To interpret subprincipals, we now require the existence of a distinguished first-order function $\mathit{sub}_w$ at each world $w$. Given principal $p$ and individual $d$, function $\mathit{sub}_w(p,d)$ yields the principal $q$ that corresponds to $d$ as implemented by $p$. For all $p$ and $d$, we require that $\omega(p) \subseteq \omega(\mathit{sub}_w(p,d))$ holds, so that subprincipals are guaranteed to believe any formula believed by a superprincipal.

Interpretation function $\mu$ is now extended to handle subprincipals and group principals:

$$\mu(\tau_1.\tau_2) = \mathit{sub}_w(\mu(\tau_1), \mu(\tau_2))$$

$$\mu(\{x : \phi\}) = \bigsqcup_{p \,:\, B,w,v[p/x] \models \phi} p$$

As in §II, function $\mu$ is implicitly parameterized on $B$, $w$, and $v$. The interpretation of subprincipals is straightforward: simply interpret each term individually, then use $\mathit{sub}_w$ to yield the subprincipal. Group principals are interpreted by taking the join over all principals $p$ who satisfy formula $\phi$. If no principal satisfies $\phi$, the result of the empty join is $\bot$.

The semantics of restricted delegation is a simple adaptation of the belief semantics of speaksfor given earlier:

$B,w,v \models \tau_1$ speaksfor $\tau_2$ on $(x : \phi)$ iff $\omega(w, \mu(\tau_1), v) \cap S \subseteq \omega(w, \mu(\tau_2), v) \cap S$,

where $S = \{\phi[\tau/x] \mid \tau\}$. That is, the worldview of $\tau_1$ must be a subset of the worldview of $\tau_2$, but only on formulas of the form $\phi$.

B. FOCALE Kripke semantics 

A FOCALE modal model is a tuple $(W, \leq, s, P, A, \sqcup, \bot, \top)$. The first part of a FOCALE modal model, $(W, \leq, s, P, A)$, must be a modal model as in §III-A. As with FOCALE belief models, $P$ must form a join semilattice under $\sqcup$. The intuitive interpretation of this lattice remains unchanged, but we replace condition Group Principal (Belief) with the following condition:

Group Principal (Kripke): For all principals $p$ and $q$, it holds that $A_{p \sqcup q} = A_p \cap A_q$.

Top principal $\top$ has the empty accessibility relation — that is, $A_\top = \emptyset$ — which means that $\top$ believes every formula. And bottom principal $\bot$ has the complete accessibility relation — that is, $A_\bot = W \times W$ — which means that $\bot$ believes only valuation necessities (cf. §III-B).

Fig. 6. FOCALE derivability judgment

Interpretation function $\mu$ is extended to handle subprincipals and group principals. To interpret subprincipals, we again require the existence of $\mathit{sub}_w$ at each world $w$, with the same intuitive meaning as before. Formally, for all $p$, $d$, and $w$, we now require that $A_p \supseteq A_{\mathit{sub}_w(p,d)}$. This requirement ensures that subprincipals believe any formula believed by a superprincipal. When interpreting group principals, the join is now taken over all principals $p$ such that $K,w,v[p/x] \models \phi$ holds. This interpretation is similar to the algebra of principals defined in ABLP logic [19].

The semantics of restricted delegation is more complicated, and resembles a semantics invented by Howell [20]:

$K,w,v \models \tau_1$ speaksfor $\tau_2$ on $(x : \phi)$ iff for all $w', w''$: $(w',w'') \in A_{\mu(\tau_2)}$ implies there exists $w'''$: $w'' \equiv^{w}_{x.\phi} w'''$ and $(w',w''') \in A_{\mu(\tau_1)}$.

To understand this definition, first notice its use of an equivalence relation $\equiv^{w}_{x.\phi}$ on worlds. (We briefly postpone defining that relation.) Suppose, for sake of explanation, that we replaced the equivalence relation with simple equality of worlds. Then the semantics would require (in the third line) that $w'' = w'''$, in which case it would simplify to

for all $w', w''$: $(w',w'') \in A_{\mu(\tau_2)}$ implies $(w',w'') \in A_{\mu(\tau_1)}$,

which itself simplifies to $A_{\mu(\tau_2)} \subseteq A_{\mu(\tau_1)}$. That is exactly the semantics of unrestricted delegation $\tau_1$ speaksfor $\tau_2$. So the generalization of equality to equivalence is the only new aspect of the semantics of restricted delegation.

Intuitively, equivalence relation $\equiv^{w}_{x.\phi}$ deems two worlds to be equivalent if they agree on the validity of formula $\phi$ in all valuations, assuming the existence of individuals $D_w$. Formally, define $w' \equiv^{w}_{x.\phi} w''$ to hold iff

$$\forall d \in D_w : \forall v : (K,w',v[d/x] \models \phi) \Leftrightarrow (K,w'',v[d/x] \models \phi).$$
Returning to the (unsimplified) semantics of restricted delegation, note it requires that for any edge $(w',w'')$ in $\tau_2$'s accessibility relation, there must also be an edge $(w',w''')$ in $\tau_1$'s accessibility relation, such that $w''$ and $w'''$ agree on the validity of $\phi$. That guarantees whenever $\tau_1$ says $\phi[\tau/x]$ holds, $\tau_2$ says $\phi[\tau/x]$ also holds, because the worlds that are accessible to $\tau_2$ agree on the validity of $\phi$ with the worlds that are accessible to $\tau_1$.

We believe that the results relating the FOCAL belief and Kripke semantics (§IV) could be extended to FOCALE.

C. FOCALE proof system 

The FOCALE proof system contains all the FOCAL proof rules (figure 5) as well as the additional rules in figure 6. Restricted delegation rules RSF-I, RSF-E, RSF-R, and RSF-T are straightforward adaptations of the rules for unrestricted delegation. Rules MEMBER, SF-GROUP, and SF-SUBPRIN are adaptations of the NAL rules [29] for group principals and subprincipals.

The soundness theorems for FOCALE are as follows: 

Theorem 4. If $\Gamma \vdash \phi$ and $B,w,v \models \Gamma$, then $B,w,v \models \phi$.

Theorem 5. If $\Gamma \vdash \phi$ and $K,w,v \models \Gamma$, then $K,w,v \models \phi$.

We have mechanized the proof of theorem 5 in Coq. (We expect that, with additional effort, the proof of theorem 4 could also be mechanized.) The mechanized proof contains about 4,000 lines, as measured by `wc -l`. It currently uses two additional axioms about the interpretation of principals:

1) If the interpretation of a term $\tau$ at a world $w$ is individual $d$, then future worlds $w'$ must also interpret $\tau$ as $d$. So, informally, the interpretation of terms can't change between worlds. Formally, let $\mu_w(\tau)$ denote the application of $\mu$ to term $\tau$ in world $w$. Then, for all $\tau$, $w$ and $w'$, if $w \leq w'$, or if there exists a $p$ such that $w \leq_p w'$, then it must hold that $\mu_w(\tau) = \mu_{w'}(\tau)$. This axiom is actually provable as a theorem for all terms except group principals.

2) If the interpretation of a term at a world is principal $p$, then all other worlds must interpret that term as a principal equivalent to $p$. So a term must always be interpreted as the same principal. Formally, for all $\tau$ and $w$, if $\mu_w(\tau) \in P$ then, for all $w'$, it must hold that $\mu_{w'}(\tau) \in P$ and $\mu_w(\tau) = \mu_{w'}(\tau)$.

In ongoing work, we are attempting to eliminate these axioms.

19 NAL's group monotonicity rule is a derived rule in the NAL proof system, and it is also a derived rule of the FOCALE proof system. We omit it here.

D. FOCALE vs. NAL 

FOCALE has essentially the same proof system as NAL, 
but there are a few differences: 

• NAL has second-order universal monadic quantification. But it uses that feature only to define speaksfor and false as derived forms; it was never otherwise needed in the examples in the NAL rationale [29]. So FOCALE eliminates it and enjoys a simpler, first-order semantics.

• NAL's term language, including principals, was not fully specified. FOCALE provides a full syntax, semantics, and proof system that we believe is consistent with the examples in the NAL rationale [29].

• The NAL proof system is a natural deduction style system 
with hypothetical judgments. The FOCALE proof system 
instead uses localized hypotheses, which we found easy 
to work with when mechanizing the proof system in Coq. 

Finally, we deliberately designed the FOCALE proof system 
such that its theory differs in one important way from NAL's. 
We discuss our motivation for this change, next. 

There are two standard ways of "importing" beliefs into a principal's worldview. The first is a rule known as Necessitation:

$$\frac{\vdash \phi}{\vdash p \text{ says } \phi}$$

The second is an axiom known as Unit:

$$\vdash \phi \Rightarrow (p \text{ says } \phi)$$

Though superficially similar, Necessitation and Unit lead to different theories.

Example 4. Machines $M_1$ and $M_2$ execute processes $P_1$ and $P_2$, respectively. $M_1$ has a register $R$. Let $Z$ be a proposition representing "register $R$ is currently set to zero." According to Unit, $\vdash Z \Rightarrow (P_1 \text{ says } Z)$ and $\vdash Z \Rightarrow (P_2 \text{ says } Z)$. The former means that a process on a machine knows the current contents of a register on that machine; the latter means that a process on a different machine must also know the current contents of the register. But according to Necessitation, if $\vdash Z$ then $\vdash P_1$ says $Z$ and $\vdash P_2$ says $Z$. Only if $R$ is always zero must the two processes say so.

Unit, therefore, is appropriate when propositions (or relations or functions) represent global state upon which all principals are guaranteed to agree. But when propositions represent local state that could be unknown to some principals, Unit would arguably be an invalid axiom. A countermodel demonstrating its invalidity is easy to construct — for example, stipulate a world $w$ at which $Z$ holds, and let $P_1$'s worldview contain $Z$ but $P_2$'s worldview not contain $Z$.

20 Garg and Abadi [21] show that the second-order definition of speaksfor likewise can be eliminated in the logic ICL, which is related to CDD hence to NAL.

FOCALE was designed to reason about state in distributed 
systems, where principals (such as machines) may have local 
state, and where global state does not necessarily exist — the 
reading at a clock, for example, is not agreed upon by all 
principals. So Unit would be invalid for FOCALE principals; 
Necessitation is the appropriate choice. 

Similarly, NAL principals do not necessarily agree upon global state. NAL does include Necessitation as an inference rule and does not include Unit as an axiom. However, NAL permits Unit to be derived as a theorem by the following proof:

$$\dfrac{\dfrac{[\phi]^1}{p \text{ says } \phi}\ \text{NAL-SAYS-I}}{\phi \Rightarrow p \text{ says } \phi}\ \text{NAL-IMP-I}_1$$

NAL's proof system is, therefore, arguably unsound w.r.t. the belief semantics presented here: there is a formula (Unit) that is a theorem of the system but that is not semantically valid.

One way to remedy NAL's unsoundness w.r.t. our semantics would be to adjust our semantics, such that Unit becomes valid:

U1: In our belief semantics, require that whenever $w \models \phi$, it must hold that $\phi \in \omega(w,p,v)$.

(An equivalent condition could be imposed on the Kripke semantics.) But we chose not to do this because we want to model principals who may be ignorant of whether certain facts hold at a world. Indeed, in our semantics, if $\phi$ holds at a world, some principals might believe $\phi$ at that world and some might not. The adjustments above would instead cause all principals to believe $\phi$ at the world, and we find this to be an unacceptable loss in expressivity.

Another way to remedy NAL's unsoundness w.r.t. our semantics would be to adjust NAL's proof system, such that Unit is no longer derivable. For example, a side-condition could be added to NAL-SAYS-I, such that $\phi$ must be a validity. One way of accomplishing that might be to forbid uncancelled hypotheses in the derivation of $\phi$. That would prevent the above derivation of Unit, although we don't know what effect it would have on the completeness of the proof system.

FOCALE's proof system (specifically, rule SAYS-LRI) instead prohibits derivation of Unit: Unit is invalid in our semantics, and our proof system is sound w.r.t. our semantics, so it's impossible for our proof system to derive Unit. FOCALE therefore seems appropriate for reasoning about state in distributed systems.

21 Rules NAL-IMP-I and NAL-SAYS-I can be found in [29]. The brackets around $\phi$ at the top of the proof tree indicate that it is used as a hypothesis [44]. The appearance of "1" as a super- and subscript indicates where the hypothesis is introduced and cancelled.

22 U1 was omitted from the NAL rationale [29]. But for the NAL proof system to be sound w.r.t. the informal NAL belief semantics, the condition should have been imposed.

23 Fred B. Schneider, personal communication, January 31, 2013.

E. FOCALE vs. CDD

NAL extends CDD's proof system [28], so we might suspect that CDD is also unsound w.r.t. our semantics. And it is. However, CDD has been proved sound w.r.t. a lax logic semantics [28]. That semantics employs a different intuition about says than NAL and FOCALE. CDD [28, p. 13] understands $p$ says $\phi$ to mean "when combining the [statement $\phi$] that the [guard] believes with those that [$p$] contributes, the [guard] can conclude $\phi$. . . the [guard's] participation is left implicit." In other words, the guard's beliefs are imported into $p$'s beliefs at each world. That's equivalent to our condition U1 above, and it results in a different meaning of says than FOCALE or NAL employs.

VII. Related Work 

FOCAL has the first formal belief semantics of any authorization logic. To our knowledge, belief semantics have been used in only one other authorization logic, and that logic — NAL [29] — has only an informal semantics. Semantic structures similar to our belief models have been investigated in the context of epistemic logic [26], [27]. Fagin et al. [25] call them syntactic models, and Konolige [37] calls them deduction models. Konolige proves the equivalence of deduction models and Kripke models for classical propositional logic.

Garg and Abadi [21] give a Kripke semantics for a logic they call ICL, which could be regarded as the propositional fragment of FOCAL. The ICL semantics of says, however, uses invisible worlds to permit principals to be oblivious to the truth of formulas at some worlds. That makes Unit (§VI-D) valid in ICL, whereas Unit is invalid in FOCAL.

Genovese et al. [22] study several uses for Kripke semantics with an authorization logic they call BL$_{sf}$, which also could be regarded as the propositional fragment of FOCAL. Using their Kripke semantics, they show how to generate evidence for why an access should be denied, how to find all logical consequences of an authorization policy, and how to determine which additional credentials would allow an access. These questions would also be interesting to address in FOCAL. However, the Kripke semantics of BL$_{sf}$ differs from FOCAL's in its interpretation of both says and speaksfor, so the results of Genovese et al. are not immediately applicable to FOCAL.

Garg and Pfenning [32] prove non-interference properties for a first-order, constructive authorization logic. Roughly speaking, these properties mean that one principal's beliefs cannot interfere with another principal's beliefs unless there is some trust relationship between those principals. Abadi [28] also proves such a property for dependency core calculus (DCC), which is the basis of authorization logic CDD. We believe that similar properties could be proved for FOCAL.

Garg and Pfenning [48] reject Unit in their authorization logic BL$_0$, as we did in FOCAL. They demonstrate that Unit leads to counterintuitive interpretations of some formulas involving delegation. Abadi [38] notes that Unit "should be used with caution (if at all)," and suggests replacing it with the weaker axiom $(p \text{ says } \phi) \Rightarrow (q \text{ says } p \text{ says } \phi)$. Genovese et al. [22] adopt that axiom; in their Kripke semantics, the frame condition that validates it is: $w \leq_p u \leq_q v$ implies $w \leq_q v$. That condition could be added to FOCAL.

VIII. Concluding Remarks 

This work began with the idea of giving a Kripke semantics to NAL. Proving soundness — at first on paper, not in Coq — turned out to be surprising, because Unit is semantically invalid but derivable in NAL (§VI-D). As we continued proving soundness, we (re)discovered the need to impose frame conditions on the two kinds of accessibility relations involved in the Kripke semantics (§III-C). The complexity of the resulting Kripke semantics motivated us to seek a simpler semantics. We were inspired by the informal semantics of the NAL rationale [29] and elaborated that into our belief semantics (§II-B).

Mechanizing the proof of soundness in Coq was frequently rewarding. Even though it took a fair amount of effort, it exposed several bugs (in either our proof system or our semantics) and gave us high confidence in the correctness of the result. We expect future benefits, too. From the formalization of the FOCALE proof system in Coq, we could next extract a verified theorem checker. It would input a proof of a FOCALE formula, expressed in the FOCALE proof system, and output whether the proof is correct. Coq would verify that the checker correctly implements the FOCALE proof system. This theorem checker could replace the current Nexus [18] theorem checker, which is implemented in C. A verified theorem checker would arguably be more trustworthy than the C implementation, thus increasing the trustworthiness of the operating system.

One of the more intriguing consequences of our semantics is that says is not a monad [49]. Since Abadi's invention of CDD [28], says is frequently assumed to satisfy the monad laws, which include Unit. In our semantics, however, Unit is invalid, and we've argued here that it is inappropriate for distributed systems. We don't know whether rejecting the monad laws will have any practical impact on FOCAL. But the seminal authorization logic, ABLP [19], didn't adopt the monad laws, so at least FOCAL is in good company.
Appendix A
Proofs

Proposition 1

Proof: By structural induction on $\phi$. This proof has been mechanized in Coq. ■

Proposition 2

Proof: Let $B = \mathrm{k2b}(K)$. For $B$ to be well-formed it must satisfy several conditions, which were defined in §II. We now show that these hold for any such $B$ constructed by k2b.

1) Worldview Monotonicity. Assume $w \leq w'$ and $\phi \in \omega(w,p,v)$. By the latter assumption and the definition of k2b, we have that $K,w,v \models p$ says $\phi$. From proposition 1 it follows that $K,w',v \models p$ says $\phi$. By the definition of k2b, it then holds that $\phi \in \omega(w',p,v)$. Therefore $\omega(w,p,v) \subseteq \omega(w',p,v)$.

2) Principal Equality (Belief). Assume $p = p'$. Then by Principal Equality (Kripke), $\leq_p$ equals $\leq_{p'}$. By the Kripke semantics of speaksfor, it follows that $K,w,v \models p$ says $\phi$ iff $K,w,v \models p'$ says $\phi$. By the definition of k2b, therefore, $\omega(w,p,v) \subseteq \omega(w,p',v)$.

3) Deductive Closure. Assume $\Gamma \vdash \phi$. By rule SAYS-LRI, we have $p$ says $\Gamma \vdash p$ says $\phi$. By theorem 3, the following fact follows: if, for all $\psi \in \Gamma$, it holds that $K,w,v \models p$ says $\psi$, then it also holds that $K,w,v \models p$ says $\phi$. Assume $\Gamma \subseteq \omega(w,p,v)$. Then for all $\psi \in \Gamma$, it holds that $\psi \in \omega(w,p,v)$. By the definition of k2b, for all $\psi \in \Gamma$, it follows that $K,w,v \models p$ says $\psi$. Therefore, by the fact we previously established, $K,w,v \models p$ says $\phi$. By the definition of k2b, we have $\phi \in \omega(w,p,v)$.

4) Says Transparency. We prove the "iff" by proving both 
directions independently. (=>-) Assume G u)(w,p,v) 
and p = /i(r). By the definition of k2b, it holds that 
K,w,v \= t says 0. From IT and F2, it follows that 
K,w,v |= t says (r says 0). By the definition of k2b, 
therefore, (r says 0) € cu(w,p,v). (<=) Assume (t says 
0) G u>(w,p, v) and p = /i(r). By the definition of k2b, 
it holds that K,w,v \= r says (r says 0). From ID, it 
follows that K,w,v \= r says 0. By the definition of 
k2b, therefore, G uj(w,p, v). 

5) Hand-off. Assume $\tau'\ \mathbf{speaksfor}\ \tau \in \omega(w,\mu(\tau),v)$. By 
the definition of k2b, it holds that $K,w,v \models \tau\ \mathbf{says}\ 
(\tau'\ \mathbf{speaksfor}\ \tau)$. Expanding the semantic definition of 
says, we have that, for all $w'$ and $w''$ such that $w \le 
w' \le_{\mu(\tau)} w''$, it holds that $K,w'',v \models \tau'\ \mathbf{speaksfor}\ \tau$. 
Expanding the semantic definition of speaksfor, we have 
that $\mathit{ReachAcc}(\mu(\tau'),w'') \supseteq \mathit{ReachAcc}(\mu(\tau),w'')$. By 
the definition of ReachAcc, we have the following fact: 
$\mathit{ReachAcc}(\mu(\tau'),w') \supseteq \mathit{ReachAcc}(\mu(\tau),w')$. Assume 
$\phi \in \omega(w,\mu(\tau'),v)$. By the definition of k2b, it holds 
that $K,w,v \models \tau'\ \mathbf{says}\ \phi$. Expanding the semantic 
definition of says, we have that, for all $w'$ and $w''$ such 
that $w \le w' \le_{\mu(\tau')} w''$, it holds that $K,w'',v \models 
\phi$. Now consider any $w'''$ such that $w' \le_{\mu(\tau)} w'''$. 
From the fact we previously established, it follows that 
$w' \le_{\mu(\tau')} w'''$. One such $w'''$ is $w''$ itself, so we 
have $w' \le_{\mu(\tau')} w''$. We can then conclude that for all $w'$ 
and $w''$ such that $w \le w' \le_{\mu(\tau)} w''$, it holds that 
$K,w'',v \models \phi$. By the semantic definition of says, we 
have that $K,w,v \models \tau\ \mathbf{says}\ \phi$ holds. By the definition 
of k2b, it holds that $\phi \in \omega(w,\mu(\tau),v)$. Therefore 
$\omega(w,\mu(\tau'),v) \subseteq \omega(w,\mu(\tau),v)$. 

■ 

26 Although this is a forward reference to a theorem we haven't proved yet, 
that theorem does not rely on the current proposition, so there is no circularity. 

Theorem 1 

Proof: By structural induction on $\phi$. All of the cases 
except says and speaksfor are straightforward, because those 
are the only two cases where the interpretation of formulas 
differs in the two semantics. 

• Case $\phi = \tau\ \mathbf{says}\ \psi$. Suppose $K,w,v \models \tau\ \mathbf{says}\ \psi$. By 
the definition of k2b, formula $\psi \in \omega(w,\mu(\tau),v)$. By the 
belief semantics of says, it must hold that $\mathit{k2b}(K),w,v \models 
\tau\ \mathbf{says}\ \psi$. 

• Case $\phi = \tau\ \mathbf{speaksfor}\ \tau'$. Suppose $K,w,v \models \tau\ \mathbf{speaksfor}\ 
\tau'$. Consider any $\psi$ in $\omega(w,\mu(\tau),v)$. By the definition 
of k2b, it holds that $K,w,v \models \tau\ \mathbf{says}\ \psi$. From the 
Kripke semantics of says and speaksfor, it follows that 
$K,w,v \models \tau'\ \mathbf{says}\ \psi$. By the definition of k2b, it 
thus also holds that $\psi \in \omega(w,\mu(\tau'),v)$. So for all $\psi$, 
if $\psi \in \omega(w,\mu(\tau),v)$, then $\psi \in \omega(w,\mu(\tau'),v)$. Thus 
$\omega(w,\mu(\tau),v) \subseteq \omega(w,\mu(\tau'),v)$. By the belief semantics 
of speaksfor, it therefore holds that $\mathit{k2b}(K),w,v \models 
\tau\ \mathbf{speaksfor}\ \tau'$. 

■ 

Lemma 1. $B,w,v \models \tau\ \mathbf{says}\ \Gamma$ implies $\Gamma \subseteq \omega(w,\mu(\tau),v)$. 

Proof: Assume $B,w,v \models \tau\ \mathbf{says}\ \Gamma$. By the semantics 
of says, we have that for all $\psi \in \Gamma$, it holds that $\psi \in 
\omega(w,\mu(\tau),v)$, hence $\Gamma \subseteq \omega(w,\mu(\tau),v)$. ■ 

Theorem 2 

Proof: By induction on the derivation of $\Gamma \vdash \phi$. All of the 
cases except those involving says and speaksfor are routine. 
Let $B,w,v \models \Gamma$ denote that, for all $\psi \in \Gamma$, it holds that 
$B,w,v \models \psi$. 

1) SAYS-LRI. Assume that $\Gamma \vdash \phi$. We need to show 
that $B,w,v \models \tau\ \mathbf{says}\ \Gamma$ implies $B,w,v \models \tau\ \mathbf{says}\ 
\phi$. So assume $B,w,v \models \tau\ \mathbf{says}\ \Gamma$. By Lemma 
1, $\Gamma \subseteq \omega(w,\mu(\tau),v)$. By Deductive Closure, $\phi \in 
\omega(w,\mu(\tau),v)$. Therefore, by the semantics of says, we 
have $B,w,v \models \tau\ \mathbf{says}\ \phi$. 

2) SAYS-LI. Assume that $\Gamma \vdash \tau\ \mathbf{says}\ \phi$. We need to 
show that $B,w,v \models \tau\ \mathbf{says}\ \Gamma$ implies $B,w,v \models 
\tau\ \mathbf{says}\ \phi$. So assume $B,w,v \models \tau\ \mathbf{says}\ \Gamma$. By 
Lemma 1, $\Gamma \subseteq \omega(w,\mu(\tau),v)$. By Deductive Closure, 
$\tau\ \mathbf{says}\ \phi \in \omega(w,\mu(\tau),v)$. By Says Transparency, 
$\phi \in \omega(w,\mu(\tau),v)$. Therefore, by the semantics of says, 
$B,w,v \models \tau\ \mathbf{says}\ \phi$. 

3) SAYS-RI. Assume that $\tau\ \mathbf{says}\ \Gamma \vdash \phi$. We need to 
show that $B,w,v \models \tau\ \mathbf{says}\ \Gamma$ implies $B,w,v \models 
\tau\ \mathbf{says}\ \phi$. So assume $B,w,v \models \tau\ \mathbf{says}\ \Gamma$. By 
Lemma 1, $\Gamma \subseteq \omega(w,\mu(\tau),v)$. By Says Transparency, 
$(\tau\ \mathbf{says}\ \Gamma) \subseteq \omega(w,\mu(\tau),v)$. By Deductive Closure, 
$\phi \in \omega(w,\mu(\tau),v)$. Therefore, by the semantics of says, 
$B,w,v \models \tau\ \mathbf{says}\ \phi$. 

4) SF-I. We need to show that $B,w,v \models \Gamma$ implies 
$B,w,v \models \tau_1\ \mathbf{speaksfor}\ \tau_2$. Assume $B,w,v \models \Gamma$. 
Also assume that $\Gamma \vdash \tau_2\ \mathbf{says}\ (\tau_1\ \mathbf{speaksfor}\ \tau_2)$. By the 
inductive hypothesis, if $B,w,v \models \Gamma$, then $B,w,v \models 
\tau_2\ \mathbf{says}\ (\tau_1\ \mathbf{speaksfor}\ \tau_2)$. Thus $B,w,v \models \tau_2\ \mathbf{says}\ 
(\tau_1\ \mathbf{speaksfor}\ \tau_2)$. By the semantics of says, we have 
$(\tau_1\ \mathbf{speaksfor}\ \tau_2) \in \omega(w,\mu(\tau_2),v)$. By Hand-off, 
$\omega(w,\mu(\tau_1),v) \subseteq \omega(w,\mu(\tau_2),v)$. By the semantics 
of speaksfor, $B,w,v \models \tau_1\ \mathbf{speaksfor}\ \tau_2$ holds. 

5) SF-E. We need to show that $B,w,v \models \Gamma$ implies 
$B,w,v \models \tau_2\ \mathbf{says}\ \phi$. So assume $B,w,v \models \Gamma$. Also 
assume that $\Gamma \vdash \tau_1\ \mathbf{speaksfor}\ \tau_2$ and $\Gamma \vdash \tau_1\ \mathbf{says}\ \phi$. 
By the inductive hypothesis, if $B,w,v \models \Gamma$, then 
$B,w,v \models \tau_1\ \mathbf{speaksfor}\ \tau_2$ and $B,w,v \models \tau_1\ \mathbf{says}\ 
\phi$. So $B,w,v \models \tau_1\ \mathbf{speaksfor}\ \tau_2$ and $B,w,v \models 
\tau_1\ \mathbf{says}\ \phi$. By the semantics of speaksfor and says, 
we have $\omega(w,\mu(\tau_1),v) \subseteq \omega(w,\mu(\tau_2),v)$ and $\phi \in 
\omega(w,\mu(\tau_1),v)$. Thus $\phi \in \omega(w,\mu(\tau_2),v)$. Therefore, by 
the semantics of says, $B,w,v \models \tau_2\ \mathbf{says}\ \phi$. 

6) SF-R. Straightforward from the reflexivity of $\subseteq$ on 
worldviews. 

7) SF-T. Straightforward from the transitivity of $\subseteq$ on 
worldviews. 

■ 

Theorem 3 

Proof: This theorem is actually a corollary of the corresponding 
theorem for FOCALE, because FOCALE generalizes FOCAL. ■ 

Theorem 4 

Proof: By induction on the derivation of $\Gamma \vdash \phi$. The proof 
generalizes the proof of Theorem 2. The only interesting, new 
cases are for subprincipals and group principals: 

1) MEMBER. We need to show that if $B,w,v \models \Gamma$, then 
$B,w,v \models \tau\ \mathbf{speaksfor}\ \{x : \phi\}$. So assume $B,w,v \models \Gamma$. 
Also assume that $\Gamma \vdash \phi[\tau/x]$. By the inductive hy- 
pothesis, if $B,w,v \models \Gamma$ then $B,w,v \models \phi[\tau/x]$. So 
we have $B,w,v \models \phi[\tau/x]$. Therefore $\tau$ satisfies the 
characteristic predicate defining group $\{x : \phi\}$. By 
definition, $\mu(\{x : \phi\}) = \bigsqcup\{p \mid B,w,v[p/x] \models \phi\}$. 
One of the principals $p$ in that join must be $\mu(\tau)$. So 
$\mu(\{x : \phi\}) = \mu(\tau) \sqcup \bigsqcup\{p \mid B,w,v[p/x] \models \phi\}$. 
Let $\Pi = \bigsqcup\{p \mid B,w,v[p/x] \models \phi\}$. Then we have 
$\mu(\{x : \phi\}) = \mu(\tau) \sqcup \Pi$; call this Fact 1. Consider 
$\omega(w,\mu(\{x : \phi\}),v)$. We can rewrite it, using Fact 1, as 
$\omega(w,\mu(\tau) \sqcup \Pi,v)$. By Group Principal (Belief), that can 
be rewritten as the deductive closure of $\omega(w,\mu(\tau),v) \cup 
\omega(w,\Pi,v)$. So, following that chain of rewriting, we have that 
$\omega(w,\mu(\{x : \phi\}),v)$ equals the deductive closure of 
$\omega(w,\mu(\tau),v) \cup \omega(w,\Pi,v)$. Since taking the deductive 
closure can only add formulas, never remove them, 
it follows that $\omega(w,\mu(\tau),v) \subseteq \omega(w,\mu(\{x : \phi\}),v)$. 
Therefore, by the semantics of speaksfor, we have that 
$B,w,v \models \tau\ \mathbf{speaksfor}\ \{x : \phi\}$. 

2) SF-GROUP. We need to show that $B,w,v \models \Gamma$ im- 
plies $B,w,v \models \{x : \phi\}\ \mathbf{speaksfor}\ \tau$. So assume that 
$B,w,v \models \Gamma$. Also assume that $\Gamma, \phi \vdash x\ \mathbf{speaksfor}\ \tau$, 
and that $x \notin \mathit{FV}(\tau) \cup \mathit{FV}(\Gamma)$. By the inductive hy- 
pothesis, we have that if $B,w,v \models \Gamma, \phi$ then $B,w,v \models 
x\ \mathbf{speaksfor}\ \tau$. But since we already have $B,w,v \models \Gamma$, it 
follows that $B,w,v \models \phi$ implies $B,w,v \models x\ \mathbf{speaksfor}\ 
\tau$. Note that $B,w,v \models \phi$ holds whenever $v$ maps $x$ 
to a principal of which characteristic predicate $\phi$ holds. 
Call that principal $p$. Then whenever $\phi$ holds of $p$, it 
also holds that $B,w,v \models p\ \mathbf{speaksfor}\ \tau$, hence by the 
semantics of speaksfor, that $\omega(w,p,v) \subseteq \omega(w,\mu(\tau),v)$. 
Let $\Pi = \mu(\{x : \phi\}) = \bigsqcup\{p \mid B,w,v[p/x] \models \phi\}$. 
By Group Principal (Belief), worldview $\omega(w,\Pi,v)$ is 
the deductive closure of $\bigcup_{p \in \Pi} \omega(w,p,v)$. Since for 
all $p \in \Pi$, characteristic predicate $\phi$ holds of $p$, it 
follows that $\omega(w,p,v) \subseteq \omega(w,\mu(\tau),v)$. Let $W_\Pi = 
\bigcup_{p \in \Pi} \omega(w,p,v)$. Thus $W_\Pi \subseteq \omega(w,\mu(\tau),v)$. The de- 
ductive closure of $W_\Pi$ is $\omega(w,\Pi,v)$. Are there any for- 
mulas in $\omega(w,\Pi,v)$ that are not in $\omega(w,\mu(\tau),v)$? Con- 
sider $\psi \in \omega(w,\Pi,v)$ such that $\psi \notin \bigcup_{p \in \Pi} \omega(w,p,v)$. 
Then there must be $\Gamma' \subseteq \bigcup_{p \in \Pi} \omega(w,p,v)$ such that 
$\Gamma' \vdash \psi$. But since $\Gamma' \subseteq \bigcup_{p \in \Pi} \omega(w,p,v) \subseteq \omega(w,\mu(\tau),v)$, 
it must be that $\psi \in \omega(w,\mu(\tau),v)$, because $\omega(w,\mu(\tau),v)$ 
is a worldview hence is deductively closed. Thus, we 
have $\omega(w,\Pi,v) \subseteq \omega(w,\mu(\tau),v)$. By the semantics of 
speaksfor, we have $B,w,v \models \{x : \phi\}\ \mathbf{speaksfor}\ \tau$. 

3) SF-SUBPRIN. By the semantics of speaksfor, we must 
show that $\omega(w,\mu(\tau_1),v) \subseteq \omega(w,\mathit{sub}_w(\mu(\tau_1),\mu(\tau_2)),v)$ 
holds. This follows immediately from the definition of 
$\mathit{sub}_w$. 

■ 

Theorem 5 

Proof: By induction on the derivation of $\Gamma \vdash \phi$. This 
proof has been mechanized in Coq. ■ 